Responsible Disclosure

Even though our services are based around finding security bugs in web applications, we are not so naive as
to think that our own applications are 100% flawless. We take security issues seriously and will respond
swiftly to fix verifiable security issues.
If you are the first to report a verifiable security issue, we'll thank you with a place
on our hall of fame page.

How should reports be formatted?

Who can participate in the program

Anyone who does not work for Detectify or for a partner of Detectify, who reports a unique security issue in scope
and does not disclose it to a third party before we have patched and updated, may, upon their approval,
be added to the Detectify Hall of Fame.

Which domains are in scope?

The domain detectify.com and any subdomain except for these:

blog.detectify.com

labs.detectify.com

support.detectify.com

career.detectify.com

If you can, however, prove that a bug under one of these domains has significant impact (for example fetching
content on detectify.com from blog.detectify.com), a bug on these domains may qualify
anyway.

What bugs are eligible?

Any typical web security bugs such as:

Cross-site Scripting

Open redirect

Cross-site request forgery

File inclusion

Authentication bypass

Server-side code execution

What bugs are NOT eligible?

Typical "no impact" bugs such as:

Missing Cookie flags on non-session cookies or 3rd party cookies

Logout CSRF

Social engineering

Denial of service

SSL BEAST/CRIME/etc

Other guidelines

So you're actually reading this? Good! First off, please don't perform research that could impact other
users. Secondly, please keep reports short and succinct.
If we fail to understand the logic of your bug, we will tell you.

Detectify reserves the right to discontinue the reward program at any time without prior notice.